Malware spam: "New Fax Message" / administrator@local-fax.com leads to TrickBot

This fake fax leads to TrickBot which appears to be similar to the Dyre banking trojan that we saw a lot of last year..

From:    Administrator [administrator@local-fax.com]
To:    annie@[redacted]
Date:    1 November 2016 at 13:28
Subject:    New Fax Message
Signed by:    local-fax.com

Confidential Fax
Date: 01/11/2016
Recipient: annie@[redacted]
From: +443021881211
Attn:
Important document: For internal use only
The documents are ready. Check attached file for more information.

[THIS IS AN AUTOMATED MESSAGE - PLEASE DO NOT REPLY DIRECTLY TO THIS EMAIL]

Confidentiality Notice: The information contained in this message may be confidential and legally privileged. It is intended only for use of the individual named. If you are not the intended recipient, you are hereby notified that the disclosure, copying, distribution, or taking of any action in regards to the contents of this fax - except its direct delivery to the intended recipient - is strictly prohibited. If you have received this fax in error, please notify the sender immediately and destroy this cover sheet along with its contents, and delete from your system, if applicable.

Attached is a Word document (in this case Internal_Fax.doc) which has a pretty low detection rate at VirusTotal of 5/54. Both the Malwr report and Hybrid Analysis give some clues as to what is going on, but in fact the Malwr report comes out with a binary download location of:

www.tessaban.com/img/safafaasfasdddd.exe

This is a hacked legitimate website. Downloading that file manually and resubmitting it gives two rather more interesting Malwr and Hybrid Analysis reports give the following suspect traffic:

91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
37.1.209.51 (3NT Solutions LLP, UK)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
23.23.107.79 (Amazon EC2, US)

I can match all those IPs except the last to this ThreatGeek report, those IPs are a mix of what looks like dynamic IPs for hacked home users and static ones (highlighted):

5.12.28.0 (RCS & RDS Residential, Romania)
27.208.131.97 (China Unicom, China)
36.37.176.6 (VietTel, Cambodia)
37.1.209.51 (3NT Solutions LLP, UK)
37.109.52.75 (Cyfrowy Polsat, Poland)
46.22.211.34 (Inferno Solutions aka 3NT Solutions LLP, UK)
68.179.234.69 (ECTISP, US)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.103 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
104.250.138.194 (Sean Sweeney, US / Gorillaservers, US)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
188.116.23.98 (NEPHAX, Poland)
188.138.1.53 (PlusServer, Germany)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)

3NT Solutions (aka Inferno Solutions / inferno.name) are very, very bad news and I would recommend blocking any IPs you can find for this outfit. FLP Kochenov Aleksej Vladislavovich aka uadomen.com has appeared here so many times [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] that really I have to categorise that as an Evil Network too.

If we excise the domestic IPs and blackhole the 3NT / Inferno / uadomen.com ranges we get a recommended blocklist of:

37.1.208.0/21
46.22.211.0/24
91.219.28.0/22
104.250.138.192/27
138.201.44.28
188.116.23.98
188.138.1.53
193.9.28.0/24

However, there's more to this too. The original email message is actually signed by local-fax.com and it turns out that this domain was created just today with anonymous registration details. The sending IP was 104.130.246.8 (Rackspace, US) and it also turns out that this is widely blacklisted and is probably worth blocking.

All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and all the recipients I have seen begin with the letter "a" curiously enough..

Malware spam: "This is to inform that the transaction you made yesterday is declined." leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Transaction declined
From:     Chandra Frye
Date:     Tuesday, 1 November 2016, 10:48

Dear [redacted],

This is to inform that the transaction you made yesterday is declined.

Please look through the attachment for the verification of the card details.

Best Regards,
Chandra Frye

The name of the sender will vary. Attached is a ZIP file (e.g. transaction-details_4688d047f.zip) containing a malicious VBS script (e.g. transaction_details_63EC6F26_PDF.vbs) which looks like this [pastebin]. That particular sample plus one other I received communicates with the URLs below, but you can be sure that there are many more examples:

51qudu.com/mqy2pj4
bjzst.cn/qgq4dx
danapardaz.net/zrr8rtz
litchloper.com/66qpos7m
creaciones-alraune.es/dx8a5
adasia.my/f5qyi10
alecrim50.pt/g28w495t
zizzhaida.com/a0s9b
silscrub.net/07ifycb

Hybrid Analysis is inconclusive. If I get hold of the C2s or other download locations then I will post them here.

UPDATE

My usual reliable source tells me that these are all the download locations:

17173wang.com/f6w0p
176.9.41.156/rodru
4office.pl/zyjkry6
51qudu.com/mqy2pj4
akbarcab.com/p8vw992v
alpinivel.pt/as4jcmm
americanjuniorgolfschool.com/hkba7
apiaa.ro/jqm6ltfw
atech.co.th/lyyrdp9
badyna.pl/saf0zv
baoan99.com/jllkv
baranteks.com/hrnf0q44
beesket.com/jrd8d411
bikebrowse.com/mjjoy
biolume.nl/rq8mabk
bionorica.md/m61yk
birim.org/x5s8d
bisskultur.de/rawmjx
bjsunny.net/claocm
bjzst.cn/qgq4dx
blastech.cc/nsg5xyi
carsmotor.net/stab2
cascinamatine.com/a7w59h
cdxybg.com/iribzm
charoenpan.com/jv4fj
chbeirlaw.com/oyem1
civc.co.uk/y5rcauj
containermx.com/vzndc
creaciones-alraune.es/dx8a5
crossfitgladstone.com/orfx8
cvanchen.com/m61yk
danapardaz.net/zrr8rtz
daricacicekci.com/jqec1k7r
doctornauchebe.it-strategy.ru/k1d7d
eatfatlosefat.com/yx7s1
ebooks.w8w.pl/slhj1l
econsult.com.tw/dqtvy
fieldserviceca.net/dndovr
koranjebus.net/1bpsrbfa
koranjebus.net/4rwg5
koranjebus.net/94rgo
koranjebus.net/9fif0
litchloper.com/2be1xz
litchloper.com/66qpos7m
litchloper.com/96iq4o
litchloper.com/9qknusm
nbsbjt.net/icefdwl
silscrub.net/40l8w
silscrub.net/79d6w4
sonsytaint.com/0dqj0dd
sonsytaint.com/4mgxlrf
sonsytaint.com/89hs1ix
zizzhaida.com/3m6ij
zizzhaida.com/98g4ubq

These are the C2s:

91.234.32.202/linuxsucks.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
81.177.22.164/linuxsucks.php (NETPLACE, Russia)

Recommended blocklist:
91.234.32.202
81.177.22.164

Malware spam: "Wrong tracking number" leads to Locky

This spam email leads to Locky ransomware:

From     "Samuel Rodgers"
Date     Mon, 31 Oct 2016 15:21:22 +0530
Subject     Wrong tracking number

It looks like the delivery company gave us the wrong tracking number.

Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.

The name of the sender varies. Attached is a ZIP file named in a format similar to tracking_number_8b5b0ab.zip which in turn contains a malicious VBS script [pastebin] named something like tracking number A99DB PDF.vbs.

That script tries to download a component from:

tastebudsmarketing.com/uw6lin
mechap.com/xd7uh
coffeeteashop.ru/daz2rp
ficussalm.com/0bqzcn96
waynesinew.com/0fqt9he1

There will no doubt be other locations. At present I do not have those or the C2 servers, but will update this post if I get them.

UPDATE

The full list of download locations is as follows (thank you to my usual source):

365cuit.com/d9x9f0
7ut.ru/ge9j0et2
8hly.com/jc45tun
a1akeyssportfishing.com/etrt5
academy24.nl/k6lxc
aconetrick.com/2ejczfc
aconetrick.com/564nr0
aconetrick.com/6yoajl7
aconetrick.com/bwt2ixo
ami-mo.ca/k5xhdz2
ami-mo.ca/kr641jxw
archilog.at/imwjmt
architectureetenvironnement.ma/g31701d
badznaptak.pl/inlgm49
bebmila.it/eczde9
buenotour.com/j97s7
business-cambodia.com/he8wtc
campossa.com/vjbfdtj
cdqdms.com/d887wn9
cintasuci.com/cl6pa
coffeeteashop.ru/daz2rp
comistus.net/j6y95
customrestaurantapps.com/gn7c2se
dgtoca.net/d1wr3
dicresco.vn/gq1bjtbb
ecig-ok.com/luflbx4
eijsvogel.nl/gpbka1n2
elgrandia.com.mx/ginlp2f
epsihologie.com/jd2qrzg
eredmenyek.net/ff2i98t
ficussalm.com/0bqzcn96
ficussalm.com/2m6u1jt9
ficussalm.com/65s3r
ficussalm.com/8pmjmwp
financesystem.net/inliid
frijaflail.com/21fpb
frijaflail.com/37cu2
frijaflail.com/6u982pak
frijaflail.com/bnrxxvsk
mcmustard.com/u6ll6y
mechap.com/xd7uh
personalizar.net/nrwnmk
personalizar.net/qz5x2mmr
robertocostama.com/xyulv
shouwangstudio.com/xkocl94
sintasia.com/ziyd0iap
tastebudsmarketing.com/uw6lin
thegioitructuyen.org/rw6ost0e
timwhid.com/1mdm3
timwhid.com/33ck9bxc
timwhid.com/6twktm
timwhid.com/bnkxqf
tjbjpw.com/wsdou72d
tonglizhongji.com/xia3fu0
tropicalcoffeebreak.com/mqomzf
utopiamanali.com/tylv91
valpit.ru/syrwg2r3
vedexpert.com/zt4ug
visualtopshop.com/svnjzk9
warisstyle.com/sq1sae
wayneboyce.com/u5ahu
waynesinew.com/0fqt9he1
waynesinew.com/2psuru2
waynesinew.com/67egbs
waynesinew.com/9li2sv1r
wbakerpsych.com/mm3kuv
wedding-pix.net/u39ssq
wei58.com/wnticba
wklm.it/qjv1ap
xa12580.com/pq2xb
xhumbrella.com/rb374woh
yurtdax.com/wgltz
zbdesignsas.com/m13o692o
znany-lekarz.pl/wd7zj

The malware phones home to:

91.107.107.241/linuxsucks.php [hostname: cfaer12.example.com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks.php [hostname: shifu05.ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks.php (Ukrainian Internet Names Center aka ukrnames.com, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
5.187.7.111/linuxsucks.php (Fornet Hosting, Spain)

Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152

Malware spam: "Payment history" leads to Locky

Another morning, another spam run pushing Locky ransomware:

Subject:     Payment history
From:     Theodore Wilkins
Date:     Friday, 28 October 2016, 10:09

The payment history for the first week of October 2016 is attached as you requested.

Please review it and let us know if you have any question.

The sender name varies from message to message. Attached is a ZIP file named in a similar way to payment_history_aecca55b.zip containing a malicious VBS script [pastebin] (e.g. payment history 6848D10A PDF.vbs). You can see some of the activities of these script in these automated analyses [1] [2].

There are many different variants of the script, downloading components from:

2rtt-2rm.ru/grb7c
92hanju.com/utl41nrt
a1plus2.de/ljwxw6vh
accubattery.eu/sjc2at
aegischina.com/yrp6eyv
agrobiciuffa.com.ar/l5e7m6i
allaboutseniors.in/wtm1i0yg
alpha-next.com/ssvmwa
angundoviz.com/lhk96wx
aoteatrial.net/02yls0
aoteatrial.net/142y5x
aoteatrial.net/4865ht
aoteatrial.net/7gojeo
artmusic.dk/izpv2d39
autoreal16.ru/r1j54weq
bachledowka.net/xausf
beauty-link.jp/umjwg8f
bikemielec.com/b7owupi
bircansigorta.com/s84vkrx
blaauw-woonidee.nl/hvlqf9v4
bts-site.nl/fb80j
bumbocubeb.net/04s7752
bumbocubeb.net/163yebg7
bumbocubeb.net/4rjsepe
bumbocubeb.net/8p54eb8
burdur-bld.gov.tr/usl1pm4
buron.dk/t8nh96d
butterflytiger.com/o7eancbx
caraudiogdl.com/zm74gwvw
cavafis.gr/ouyrvo
chanet.jp/mrf40le
chernozem-msk.ru/l5wvp4nc
clinicaharvard.com/umuyki
cmmsrilanka.lk/xztuej9
codelime.net/u9dhbjib
cronos-com.ru/hbxxkshz
dadou0531.com/gych5
dcproduction.fr/wrs9q6
dohere.net/zyme3z
dollheiser.de/v5oqpb4
doogo.com.ar/vw280ik8
drewnianaskrzynka.pl/nfw15wn9
eajhosting.nl/q7jijj3k
edhalper.it/tmnm2v
efb-demarco.de/ywkdd
eflproject.org/vco8bi
egda.pl/unu16fq9
elma.7080.ru/qe3sp3
energiclima.com/sesmgrv4
enzyma.es/lpzd1gev
er-mecanicautomotriz.com/fxlkkv
e-testers.it/jy5ipe3
eurobnr.ro/qd0gn425
euromac.es/oodhs
expert-as.ru/ulfzbh
finahistory.com/jhrni
hellomissdance.com/a03sf
helsby.biz/apwms
hltrader.com/audu4f4o
huodaibbs.com/bqmvde
ilmdesign.com/aos8ly25
joshdult.net/0ia6e4
joshdult.net/3c554n2
joshdult.net/73eqx7oc
joshdult.net/9p4eh
nowon.dk/woqb5j
plookseri.net/097ga
plookseri.net/1s4bzaa1
plookseri.net/5t9nja
plookseri.net/9jyg2s70
shop.ukrtk.com/ck6jfe2e
verdianthy.com/diqlfy1
weddingandfashion.it/djzuf5c
zencart.alpm.gogzmermedia.com/h0woq
zlotysalmo.net/0zx0ken3
zlotysalmo.net/3v8va8ov
zlotysalmo.net/75vepy6f
zlotysalmo.net/9v50aob

(Thank you to my usual source for this data). The malware phones home to:

83.217.11.193/linuxsucks.php [hostname: artkoty.fortest.website] (Park-web Ltd, Russia)
46.148.26.99/linuxsucks.php [hostname: tarasik1.infium.net] (Infium, UAB, Ukraine)
194.1.239.152/linuxsucks.php (Internet Hosting Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti.ru] (Optibit LLC, Russia)
185.154.13.79/linuxsucks.php (Dunaevskiy Denis Leonidovich, Ukraine)

It also attempts to contact the following URLs which appear to be dead:

pqrifsjpryygmip.pw/linuxsucks.php
uxpxpirusm.xyz/linuxsucks.php
wbaskcsxiffiax.info/linuxsucks.php
kcydflvipqsvqxw.work/linuxsucks.php
haxkbqwyudoeghlhj.biz/linuxsucks.php
mdecrwmtscal.su/linuxsucks.php
pqpmswodyqlbbjmwm.pl/linuxsucks.php
yppsuvfjmnsbi.org/linuxsucks.php
fpeuwdde.xyz/linuxsucks.php
qggdljlijbygeutc.click/linuxsucks.php
juiweirqvt.su/linuxsucks.php
gyhbiuo.ru/linuxsucks.php

A DLL is dropped with a detection rate of 12/57.

Recommended blocklist:
83.217.11.193
46.148.26.99
194.1.239.152
91.230.211.150
185.154.13.79

Moar Locky 2016-10-27

Lots of Locky today, here are some additional download locations for those naughty .wsf scripts.

139.162.29.193/g67eihnrv
1water.com.au/g67eihnrv
adenadataediting.com/g67eihnrv
aghadiinfotechforclient.com/g67eihnrv
agile-scrum-training.com/g67eihnrv
anandlab.com/g67eihnrv
axzio.com/g67eihnrv
banatlebanon.com/g67eihnrv
banknifty.com/g67eihnrv
bindaasdelhi.org/g67eihnrv
bmbuildingpteltd.com/g67eihnrv
bonzerwebsolutions.com/g67eihnrv
cambostudio.com/g67eihnrv
cardimax.com.ph/g67eihnrv
cfolio.uk/g67eihnrv
cibr.in/g67eihnrv
ctc.crru.ac.th/g67eihnrv
cttcleaning.com/g67eihnrv
davaomarbled.com/g67eihnrv
dev.searchthruster.com/g67eihnrv
dmlevents.com/g67eihnrv
dollsdelight.com/g67eihnrv
dreamruntech.com/g67eihnrv
drhairchandigarh.in/g67eihnrv
dryilmazyildirim.com/g67eihnrv
dssstaging.net/g67eihnrv
emkadogalgaz.com.tr/g67eihnrv
eurofranq.com/g67eihnrv
eventsaigon.com/g67eihnrv
fliermagas.net/g67eihnrv
flyingbtc.com/g67eihnrv
ftp-reklama.gpd24.pl/g67eihnrv
fullservicetech.com/g67eihnrv
goldseparator.com/g67eihnrv
hansdavisgroup.com/g67eihnrv
hoopwizard.com/g67eihnrv
imlearningsystems.com/g67eihnrv
infomazza.com/g67eihnrv
intomim.com/g67eihnrv
intralab.co.id/g67eihnrv
intrekmedya.com/g67eihnrv
italics.in/g67eihnrv
jackpotfutures.com/g67eihnrv
joshturansky.com/g67eihnrv
jus2chat.com/g67eihnrv
kakapublicity.com/g67eihnrv
kalkashimlataxiservice.in/g67eihnrv
kamerreklam.com.tr/g67eihnrv
kaushikjanmejay.com/g67eihnrv
kenshop18.com/g67eihnrv
koiatm.com/g67eihnrv
kursuskomputer.web.id/g67eihnrv
librahost.com/g67eihnrv
livingfreehomeramps.com/g67eihnrv
mangliks.com/g67eihnrv
marina-beach-resort-goa.com/g67eihnrv
mgregency.com/g67eihnrv
micaraland.com/g67eihnrv
mileshilton-barber.com/g67eihnrv
neu.sat-immobilien.de/g67eihnrv
olivierimmobiliare.com/g67eihnrv
paihotel.in/g67eihnrv
physioandpain.com/g67eihnrv
projects.seawindsolution.com/g67eihnrv
prototypingjob.com/g67eihnrv
pubbligrafica360.it/g67eihnrv
riverlifechurch.tv/g67eihnrv
saurabh-kachhadiya.comyr.com/g67eihnrv
scpolytechnic.com/g67eihnrv
sheela.diet/g67eihnrv
sonlightministries.com/g67eihnrv
sparezz.com/g67eihnrv
srisaioilfield.com/g67eihnrv
stinsonservices.com/g67eihnrv
sukienhoanggia.com/g67eihnrv
taipei-lottery.com/g67eihnrv
tasveeranarts.in/g67eihnrv
teachlanguage.net/g67eihnrv
themeonhai.com/g67eihnrv
tutorialcodeigniter.16mb.com/g67eihnrv
twoj-sennik.pl/g67eihnrv
ui.worklab.in/g67eihnrv
uniquebulldogpuppies.com/g67eihnrv
uniquecoders.in/g67eihnrv
videoregistrator.bg/g67eihnrv
vkwelaarts.co.za/g67eihnrv
webihawks.com/g67eihnrv
www.3shadz.com/g67eihnrv
www.acclaimenvironmental.co.uk/g67eihnrv
www.afsartorshiz.com/g67eihnrv
www.agrasentechnical.com/g67eihnrv
www.camko-motor.com/g67eihnrv
www.contentmantra.com/g67eihnrv
www.epmedia.it/g67eihnrv
www.hayatesabz.ir/g67eihnrv
www.kimabites.com/g67eihnrv
www.poddarprofessional.com/g67eihnrv
www.vibrantlove.co.uk/g67eihnrv
zinger.nl/g67eihnrv